Computer network security has been an important issue for all types of organizations and corporations for many years. Computer break-ins and misuse have become common, and both the number and the sophistication of attacks on computer systems are on the rise. Network intruders have overcome the password authentication mechanisms designed to protect systems. With an increased understanding of how systems work, intruders have become skilled at identifying system weaknesses and exploiting them to obtain unauthorized access. Intruders also use patterns of intrusion that may be difficult to trace or identify. They may pass through several levels of indirection before breaking into a target system and rarely indulge in sudden bursts of suspicious or anomalous activity. If an account on a target system is compromised, intruders may carefully cover their tracks so as not to arouse suspicion. Furthermore, threats such as viruses and worms may not need human supervision and may be capable of replicating and traveling to connected computer systems. Once released on one computer in a network, their origin and the extent of the infection may be difficult to determine by the time they are discovered.
Firewalls are one approach to reducing unauthorized access. Essentially, a firewall is a control layer inserted between an enterprise's computer network and the outside. A firewall may permit only some traffic to pass through. The firewall may be configured by the administrator of the local network based on the enterprise's security policy. For example, a firewall may block traffic of a certain type, traffic from certain addresses, or traffic from all but a predetermined set of addresses.
Intrusion detection has been developed to extend security visibility into a computer network and to monitor the activity of users while they are on the network. An Intrusion Detection System/Service (IDS) can augment an end-to-end security solution as a dynamic security component by detecting, responding to, and reporting unauthorized activity identified from data collected on the computer network.
Network intrusion detection is a process that can identify and respond to misuse or policy violations on a network. By placing sensing-enabled (i.e., intrusion-monitoring) devices at selected points on a network, network traffic can be monitored and compared against patterns or “signatures” that represent suspicious activity, misuse, or actual attacks. These devices can send alerts to the security management system and, under appropriate circumstances, send commands directly to network equipment such as routers and firewalls, reconfiguring them to deny access to the attacker. The system can respond automatically and quickly in a user-defined manner, either sending an alert or taking immediate action.
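The firewall policy described two paragraphs above and the signature-matching sensor that reconfigures it, as an added example that is not part of the original page: a first-match packet filter with a default-deny policy (blocking one traffic type, one address range, and all but an allowlisted range for SSH), followed by a sensor that compares admitted payloads against constructed signatures and, on a hit, records an alert and pushes a deny rule for the attacker's source address back into the filter. The packets, rules, signature strings, and addresses are all constructed for illustration and are assumptions of this example.

```python
"""Packet filter plus signature sensor that reconfigures the filter.

Added example; the packets, rules and signatures below are constructed
for illustration and are not from the original page.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for protocols without ports
    payload: bytes = b""


@dataclass
class Rule:
    """First-match rule; a None field is a wildcard."""
    action: str             # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class Firewall:
    """Evaluates rules top-down; anything unmatched gets the default (deny)."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default

    def block_source(self, addr: str) -> None:
        # Prepend so the dynamic deny takes precedence over any existing allow.
        self.rules.insert(0, Rule("deny", src=ipaddress.ip_network(addr + "/32")))


# Constructed signatures: byte patterns that indicate misuse in an HTTP payload.
SIGNATURES = [
    ("sqli-union", b"union select"),
    ("path-traversal", b"../../"),
]


class Sensor:
    """Inspects traffic the firewall admitted; on a hit, alerts and blocks the source."""

    def __init__(self, firewall: Firewall):
        self.firewall = firewall
        self.alerts: List[Tuple[str, str]] = []

    def inspect(self, pkt: Packet) -> Optional[str]:
        body = pkt.payload.lower()          # case-insensitive match
        for name, needle in SIGNATURES:
            if needle in body:
                self.alerts.append((pkt.src, name))
                self.firewall.block_source(pkt.src)   # reconfigure the firewall
                return name
        return None


def build_policy() -> Firewall:
    net = ipaddress.ip_network
    return Firewall([
        Rule("deny", src=net("203.0.113.0/24")),                      # traffic from certain addresses
        Rule("deny", proto="icmp"),                                    # traffic of a certain type
        Rule("allow", proto="tcp", dport=80),                          # public web service
        Rule("allow", proto="tcp", dport=22, src=net("10.0.0.0/8")),   # SSH from the allowlist only
    ])


def run_demo() -> List[Tuple[str, Optional[int], str, Optional[str]]]:
    """Run constructed traffic through the filter and sensor; return (src, dport, verdict, alert)."""
    fw = build_policy()
    sensor = Sensor(fw)
    traffic = [  # constructed packets, in arrival order
        Packet("198.51.100.7", "tcp", 80, b"GET / HTTP/1.1"),
        Packet("198.51.100.7", "tcp", 22),
        Packet("203.0.113.5", "tcp", 80, b"GET / HTTP/1.1"),
        Packet("192.0.2.9", "tcp", 80, b"GET /?id=1 UNION SELECT user,pass FROM users"),
        Packet("192.0.2.9", "tcp", 80, b"GET /index.html HTTP/1.1"),
        Packet("10.1.2.3", "icmp", None),
        Packet("10.1.2.3", "tcp", 22),
    ]
    log = []
    for pkt in traffic:
        verdict = fw.decide(pkt)
        alert = sensor.inspect(pkt) if verdict == "allow" else None
        log.append((pkt.src, pkt.dport, verdict, alert))
    return log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The fourth packet is admitted by the static policy, triggers the `sqli-union` signature, and causes a deny rule for 192.0.2.9 to be prepended, so the fifth packet from the same source is dropped without reaching the sensor. Denying a source on a single signature hit is exactly the "appropriate circumstances" decision the text leaves to policy: an attacker who can spoof source addresses could use such a loop to get legitimate addresses blocked, so deployments typically require corroborating evidence or time-limit the automatic block.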
Data network security is discussed, for example, in U.S. Pat. No. 6,792,546; U.S. Pat. No. 6,785,821; U.S. Pat. No. 6,775,675; U.S. Pat. No. 6,405,318; and U.S. Pat. No. 6,370,648. The disclosure of each of these patents is hereby incorporated herein in its entirety by reference.
Notwithstanding the network security measures discussed above, there continues to exist a need in the art for improved security methods, devices, and networks.